Why Healthcare Should Sweat “The Small Stuff” When It Comes to Health Data Security

In the five years since the passing of the 2009 HITECH Act, more than 30 million people in over 900 various cases have been affected by breaches of secure healthcare data. The HITECH Act requires that HHS disclose to the SEC any incidents affecting more than 500 patients, but these numbers alone do not tell the whole story. In a 2012 report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in ‘smaller incidents’ that fell below the 500 victim threshold.

In the five years since the passing of the 2009 HITECH Act, more than 30 million people in over 900 various cases have been affected by breaches of secure healthcare data. The HITECH Act requires that HHS disclose to the SEC any incidents affecting more than 500 patients, but these numbers alone do not tell the whole story. In a 2012 report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in ‘smaller incidents’ that fell below the 500 victim threshold.

The turbulent rollout of public health insurance exchanges with many questioning the amount of focus dedicated to ensuring their security

Discovery of the Heartbleed bug, which caused massive vulnerability across the Internet and sent millions of consumers scrambling to change their online login credentials

The theft of 4.5 million patient health records from Community Health Systems (CHS) made possible by Heartbleed. This was the second largest breach of health records ever in the U.S. and has many in the healthcare industry fearfully anticipating future attacks made possible by information stolen through the vulnerability

Hackers successfully breach the Healthcare.gov website and leave behind malicious software. Though no patient data was believed to be taken, many are worrying about further attacks as a new enrollment period approaches and the exchange is flooded with new patient information

Not all data breaches are achieved by web-based means, however. Below are the seven incident categories for health data security breaches being tracked by HHS (Note that some incidents fall under more than one classification):

Like the CHS incident, criminals are targeting social security numbers (which in turn are used to steal identities) and creating fraudulent credit cards, passports, and bank accounts

In other instances, the goal is electronic Protected Health Information (ePHI) or Electronic Medical Records (EMRs) which provide criminals with the information needed to fraudulently receive healthcare services under the guise of being insured – an $80 billion per year problem for the public insurance sector alone

We’re intrigued by the implications of healthcare data breaches and where best-in-class solutions can emerge to mitigate risk as our society ages and Medicare ranks swell, and as the volumes of newly insured patients seeking care and the related flow of information accelerates. While this is often not a major topic of conversation in healthcare circles, data security and data privacy vulnerabilities represent a tremendous systemic risk and are becoming more of a threat as health data continues to become digitized. In an upcoming report, TripleTree will assess some other potential but less obvious consequences of healthcare data security issues. Until then, let us know what you think.